Following the July 12, 2019, release of “Power Reactor Cyber Security Program Assessment,” the Nuclear Regulatory Commission’s (NRC’s) Director of Physical and Cyber Security Policy in the Office of Nuclear Security and Incident Response issued a memorandum to NRC Staff on August 6, 2019.

The memorandum provides guidance to Staff on next steps, but also cautions that when initiating changes to the Cyber Security Program they keep several points in mind. Specifically, the Director asks Staff to ensure that changes do not adversely impact other areas of the program; that guidance revisions are consistent and incorporated throughout all documents; that, where necessary, a backfit analysis is performed; and that no changes constitute an unreasonable risk to public health and safety.

The memorandum reminds Staff that their next step, per the assessment, is to present a draft action plan by September 20, 2019. The action plan should identify enhancements to the Cyber Security Program that promote regulatory efficiency and effectiveness, while continuing to provide for reasonable assurance of public health and safety and promote common defense and security. The memorandum also praises NRC Staff for its efforts in conducting the assessment.

We will continue to monitor developments for cybersecurity at the NRC.

On July 25, 2019, the United States Government Accountability Office (GAO) released GAO-19-384, a report to congressional requesters analyzing the cybersecurity risk management of 23 civilian agencies—including the Nuclear Regulatory Commission (NRC). Using key elements such as risk tolerance and risk mitigation strategies, GAO examined the extent to which all agencies established a cybersecurity risk management program; what challenges, if any, agencies identified in developing and implementing such programs; and what steps the Office of Management and Budget (OMB) and the US Department of Homeland Security (DHS) have taken to meet their risk management responsibilities to address any challenges agencies face in this area. In its analysis, GAO compared policies and procedures from the 23 civilian agencies to key federal cybersecurity risk management practices, attained the agencies’ own views on challenges they faced, identified and analyzed actions taken by the OMB and DHS to determine whether such actions address agency challenges, and interviewed responsible agency officials.